
setting up vlan on 1920 switches

Lewis2412
Occasional Advisor

I am trying to set up a VLAN but my first attempt has created a loopback. I will explain what I did and any help/suggestions are appreciated.

I have three HP 1920 switches, each in separate buildings. Switch1 is on network 172.x.x.x, while Switch2 and Switch3 are on the same 10.x.x.x network. Switch1 is connected to Switch2 and Switch2 is connected to Switch3. Switch3 is connected to the firewall and provides the Internet connection for all three buildings. I need the 172.x.x.x network to pass through Switch2 and Switch3 to the firewall for Internet service but the two networks must not see each other.

I created VLAN 30 on Switch2 and Switch3 using ports 23 and 24 on each switch. I then connected port 24 on Switch1 to port 23 on Switch2, and connected port 24 on Switch2 to port 23 on Switch3. And finally connected port 24 on Switch3 to port 3 on the firewall. I was able to get internet access on the 173.x.x.x network. The next step I took was to connect the 10.x.x.x network to the Internet by connecting port 1 on Switch2 to port 1 on Switch3, and then port 2 on Switch3 to port 2 on the firewall. This is when I got the loopback error because Switch2 and Switch3 are connected to each other twice via the separate VLANs. 

What do I need to do to correct this problem? Is there a better way to keep the networks separate? 

Ian Vaughan
Honored Contributor
Solution

Re: setting up vlan on 1920 switches

Hello,

Quick summary: 

Let us assume that you only have VLAN 30 (where the 172 addresses live) and VLAN 1 (where the 10.x addresses live) in play in your network.

Let us assume that you have local access to the switches and that you are not remotely connected and furthermore that the firewall provides the default gateway for the 10 network and the 172 network. I have gone for the simplest approach possible rather than try and show you too many things at once...

Problem - You need to get VLAN 30 all the way through the network from the user ports of Sw1 to port3 on the firewall without it "touching" vlan1.

So - 

On switch 1:

Make all of the user facing ports part of vlan 30

(you may want to keep one solitary physical port in vlan 1 if you are keeping the management address in vlan 1 - just so you can plug in with your laptop and get local access to the management IP). 

Make the uplink port 24 - a trunk port - untagged (aka PVID) for vlan 1 and tagged for vlan 30

Enable spanning tree

On switch 2

vlan 30 - no ip address needed - layer 2 only - user facing ports in vlan1 - management IP address in VLAN1.

Make uplink port 23 a trunk untagged (aka PVID) VLAN1 and tagged for vlan 30

Configure ports 1 & 24 - bind them together into a Link Aggregate Group or Lagg. (use LACP option).

Make the new bagg1  interface a "trunk" link with VLAN 1 as the pvid / untagged and vlan 30 as a tagged vlan. 

enable spanning tree

On Switch 3

vlan 30 - no ip address needed - layer 2 only - user facing ports in VLAN1 & management IP address in vlan1.

Configure ports 1 & 23 into a link aggregate group - use LACP option.

Make the new bagg1 interface a trunk link with pvid / untagged vlan 1 and vlan 30 tagged 

Put port 24 as an untagged "access" port in vlan 30 as this will interface with P3 on the firewall. 

Enable spanning tree

You should now have reachability at the MAC address level between a PC host connected into SW1 all the way through to port 3 on the firewall. 

Let us know how you progress and if you come across any gotchas. 

Kudos and solved buttons help others find useful posts - please give us a click if this helps you.

many thanks

Ian 


Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
Lewis2412
Occasional Advisor

Re: setting up vlan on 1920 switches

Thanks for the reply Ian! I followed your instructions and am not quite set up yet. So far VLAN1 is working properly from Switch1 and Switch2, but VLAN30 is not responding at all. It is definitely not looping now as VLAN30 does not connect even if I disconnect the link connecting Switch2 and Switch3 for VLAN1.

When setting up spanning tree, it appears that the Global STP is enabled. I enabled the Region STP for VLAN1 and VLAN30. I am not sure if that was what I was supposed to do? Either way VLAN30 is not connecting to the firewall or even the other switches.

Ian Vaughan
Honored Contributor

Re: setting up vlan on 1920 switches

Hello,

Don't forget that VLAN30 has no intelligence as far as the switches are concerned in this scenario. All you are doing is making a "virtual channel" across the network to connect the hosts to the firewall. You will need some tame devices on the network to do a little testing. I shall try and explain what I mean.

A quick checklist:

Do all 3 switches have vlan 30 configured? It just has to exist in the vlan list - no IP address needed.

Can you temporarily put one port in SW3 into vlan 30 as an access port?

A temp device in a vlan 30 access port in SW3 should be a good local test that the firewall is doing what it needs to do - DHCP, routing etc. - as it should easily be able to talk to the firewall in another vlan 30 access port in the same switch. If that doesn't work you have a firewall issue - if it does work we can assume we have a good firewall and we can move up the stack.

Check that the link between SW3 and SW2 is carrying vlan 30 as a tagged vlan in addition to untagged vlan 1 over the trunk.

Go through the same procedure as above but this time on SW2 - put a single access port on vlan 30 and make sure you are getting the same services from the firewall. You are simply extending that layer 2 network within VLAN 30 to SW2 using the tags and the trunk link.

If that works you are half way there.

Check the "lagg" link between the SW2 and SW1 and make sure that it is carrying tagged vlan 30 and untagged / native / pvid VLAN 1.

Does Sw1 now have all user ports as "access" ports in vlan 30?

You are making sure that VLAN 30 traffic gets carried onto the network and over the trunks between the intervening switches to the access port where the firewall is.

Do you have a "pingable" device (i.e. something other than a windows PC with a personal firewall) that you can use for testing?

Two would be even better as you could leave one in SW1 and move the other between the temporary vlan 30 access ports you made in switches 2 and 3 and test that the pings are going over the trunks.

I don't think that you are too far away and I hope it is becoming clearer. 

When it is all up and working remember to revert the "temp test" ports in vlan 30 on switches 2 and 3 back to vlan 1.

The spanning tree thing is a "just in case" really and shouldn't impact your connectivity if you only have one logical link between each pair of switches (the Lagg only counts as one).

Let us know when you have the eureka moment and get the clients talking to the firewall.

Thanks

Ian

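Ian's design from the solution post and the per-link tagging checklist in this reply, written up as a small consistency checker. This is an added example, not code from the thread, from HP or from Ian: the port-to-device model, the firewall treated as a device with two access ports, and the names DESIGN, LINKS, tagging_mismatches, parallel_links and vlan_reaches are assumptions of mine.

```python
# Constructed model of the thread's three-switch design (not vendor code); a LAG is one logical port "bagg1".
from collections import defaultdict, deque
def port(untagged, tagged=()):
    """Access port: one untagged VLAN. Trunk: untagged PVID plus tagged VLANs."""
    return {"untagged": untagged, "tagged": set(tagged)}

def mode(p, vlan):
    """'untagged', 'tagged' or None (dropped) for this port and VLAN."""
    return "untagged" if p["untagged"] == vlan else "tagged" if vlan in p["tagged"] else None

def tagging_mismatches(switches, links):
    """Both ends of a link must agree per VLAN; untagged on one side and tagged on the
    other (the LAG mistake in the thread) breaks VLAN 30 and leaks its frames into PVID 1."""
    bad = []
    for (sa, pa), (sb, pb) in links:
        a, b = switches[sa][pa], switches[sb][pb]
        for vlan in a["tagged"] | b["tagged"] | {a["untagged"], b["untagged"]}:
            if mode(a, vlan) != mode(b, vlan):
                bad.append((sa, pa, sb, pb, vlan))
    return bad

def parallel_links(links, bridges):
    """More than one link between two bridging switches (a LAG counts as one) is the first post's loop."""
    count = defaultdict(int)
    for (sa, _), (sb, _) in links:
        if sa in bridges and sb in bridges:  # the firewall routes rather than bridges
            count[tuple(sorted((sa, sb)))] += 1
    return [pair for pair, n in count.items() if n > 1]

def vlan_reaches(switches, links, vlan, src, dst):
    """Layer-2 reachability: a link carries the VLAN only if both ends agree on it."""
    usable = [(a, b) for (a, pa), (b, pb) in links if mode(switches[a][pa], vlan)
              and mode(switches[a][pa], vlan) == mode(switches[b][pb], vlan)]
    todo, seen = deque([src]), {src}
    while todo:
        cur = todo.popleft()
        if cur == dst:
            return True
        nxt = {b for a, b in usable if a == cur} | {a for a, b in usable if b == cur}
        for there in nxt - seen:
            seen.add(there)
            todo.append(there)
    return False

# Ian's design: SW1 p24 <-> SW2 p23 trunks, SW2 bagg1 (p1+p24) <-> SW3 bagg1 (p1+p23), SW3 p24 = VLAN 30
# access port to firewall p3, SW3 p2 stays in VLAN 1 to firewall p2 (constructed sample data).
DESIGN = {"SW1": {"1": port(30), "24": port(1, {30})},
          "SW2": {"2": port(1), "23": port(1, {30}), "bagg1": port(1, {30})},
          "SW3": {"2": port(1), "bagg1": port(1, {30}), "24": port(30)},
          "FW": {"2": port(1), "3": port(30)}}
LINKS = [(("SW1", "24"), ("SW2", "23")), (("SW2", "bagg1"), ("SW3", "bagg1")),
         (("SW3", "24"), ("FW", "3")), (("SW3", "2"), ("FW", "2"))]
```

Flipping SW2's bagg1 to untagged VLAN 30 reproduces the fault reported later in the thread: the checker reports the mismatch and VLAN 30 no longer reaches the firewall.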
Lewis2412
Occasional Advisor

Re: setting up vlan on 1920 switches

You're a genius Ian! :) I had accidentally set lagg for VLAN30 on Switch2 as untagged. Once I corrected that everything started working properly. Thank you so much for your time!

Ian Vaughan
Honored Contributor

Re: setting up vlan on 1920 switches

No problem. I'm glad you got it working. 

Don't forget to save your configurations on the switches (just in case they get powered off at some point). 

It is also worth backing up the configurations to another server or put them somewhere safe off the network in case a switch suffers a malfunction or accident and you have to restore a configuration from scratch. 

You'll be glad to know that I've set your scenario as a little exercise for some of my colleagues who are learning the ropes of networking. If you've grasped the concepts of subnets, VLANs, access ports, trunks, LAGGs etc you are doing well and with a bit of subnet mask practice you'll be well on the way to getting your first "belt" in the martial art of Network-Fu.

:-) 

many thanks

Ian

Lewis2412
Occasional Advisor

Re: setting up vlan on 1920 switches

That's awesome! I hope it is a good exercise for them too. :)

I have saved the configs and set them to be backed up on the normal rotation. I have a supplemental question or two if you do not mind. At some point we will want to add a guest wifi to SW2 that is separate from VLANs 1 and 30. We can connect to port 4 on the firewall so that they are on a completely different network. I'll likely put the wifi on port 22 on SW2 as VLAN40. I imagine I'll just do the same procedure for VLAN40 as I did to VLAN30? Then use port3 on SW3 to connect to port4 on the firewall? 

This brings up another question. Is there a way to just use one link from SW2 to SW3 in this scenario? One link is fiber and the other is copper. We would like to remove the copper link if possible.

Thanks for your help!

Ian Vaughan
Honored Contributor

Re: setting up vlan on 1920 switches

Hello,

Ok a couple of points to cover:

1. Yes. You can add new networks to the design just by adding:
   1. The vlan config on each switch
   2. Some access ports for clients and one for a firewall
   3. The tagged vlan to the trunk links between switches
2. You can "break up" / delete the lagg config and turn the single port that you want to use on each side as a trunk type interface with untagged vlan 1 and tagged vlan 30

Just bear in mind that your traffic between SW1 and the firewall now depends on a whole sequence of single components and if you don't have the LAGGs between switches you don't take advantage of the redundancy that they offer.

Thanks

Ian
